My name is Patrick Mann and I’m a security tester on the IE team. A big part of my job is to research potential IE security vulnerabilities reported to Microsoft by 3rd parties: security vendors, site developers, or simply observant users. These folks do the browsing public a great service by working with us to eliminate vulnerabilities before they can be exploited. However, I’ve also noticed that there are some misconceptions about IE security that lead people to worry about perceived security issues that are not actually vulnerabilities, or in fact expected behavior. I’d like to discuss some of the more common cases.
Today’s topic is status bar “spoofing” – using the status bar to trick users into believing they are on a trusted site, when they are not. Users typically rely on multiple cues to make trust decisions: the address bar, the page content, the lock icon, and also the URL displayed in the status bar when hovering over a link. But not all of these are equally good indicators.
The address bar and lock icon are completely under the control of IE; these are reliable indicators. Now I know this will provoke comments about address bar spoofs in the past – rest assured that we treat those as high priority security issues for the very reason that users should be able to trust the address bar content. However, I want to focus on security misconceptions here, so let’s get back on track… The page content is obviously controlled by the web site, so it is not a good basis for making a trust decision. What about the status bar text?
Here’s where things become a bit tricky, because status bar text is used both by IE and the web site. It is not necessarily obvious who is responsible for a given status message. To compound things: by providing the ability for web sites to have control over the status bar text, it becomes impossible for the browser itself to guarantee trustworthiness of the status bar’s messages. Sites can display arbitrary content in response to user interaction that by default would result in an IE status bar message: a user cannot tell whether a URL displayed in response to hovering over a link is generated by IE or by the web page.
In short, status bar text is not helpful in making trust decisions. Spoofing it or otherwise causing it to display false information doesn’t give rise to an actual security vulnerability, since the website hosting the status bar can pretty much make it behave the way it wants to.
So why did we make the status bar behave this way? And why wouldn’t we turn it off now? Fact is, that this functionality is used legitimately by a huge number of sites. Given that there are good ways of making trust decisions, it does not seem warranted to break all those sites.
What are the good ways of establishing trust? Always look at the address bar first. To be absolutely safe, check that the site certificate (double-click the lock icon) was issued to the site you think you are on before submitting any sensitive information. You can read more about protecting yourself against spoofing at http://www.microsoft.com/security/incident/spoof.mspx.
Hopefully this has clarified things. At the same time I urge you to report any potential security issues to firstname.lastname@example.org. I would much rather investigate 100 false positives than miss 1 real issue. You can read more about the Microsoft policy of working with and publicly acknowledging responsible reporters at http://www.microsoft.com/technet/security/bulletin/policy.mspx. For general security tips visit http://www.microsoft.com/protect.
To be continued …